chore(deps): bump @cashu/cashu-ts from 3.5.0 to 3.6.0 #186
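name: CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege for GITHUB_TOKEN: every job is read-only unless it opts in
# below (container-build needs id-token for keyless signing, the security job
# needs PR access for gitleaks). Without this block each job gets the
# repository's default token scope.
permissions:
  contents: read

# TODO(security): pin third-party actions (actions/*, gitleaks/gitleaks-action,
# sigstore/cosign-installer) to a full commit SHA instead of a mutable major
# tag; a moved tag silently changes the code that runs with this token.

jobs:
  # Gate that every other job depends on. SECURITY_GATE_MODE (repo variable)
  # selects off | observe | enforce; SECURITY_CANARY_BRANCHES is a comma list
  # of branches that are escalated from observe to enforce.
  security:
    name: Security Scans
    runs-on: ubuntu-latest
    # gitleaks-action uses GITHUB_TOKEN to read the PR commit list and, on
    # findings, to comment on the PR; that comment is the only write this job
    # performs. NOTE(review): drop to `pull-requests: read` if PR comments are
    # not wanted — confirm against the action's documentation.
    permissions:
      contents: read
      pull-requests: write
    env:
      ARXMINT_SECURITY_GATE_MODE: ${{ vars.SECURITY_GATE_MODE }}
      ARXMINT_SECURITY_CANARY_BRANCHES: ${{ vars.SECURITY_CANARY_BRANCHES }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the secret scan covers past commits, not just HEAD.
          fetch-depth: 0
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Resolve security gate mode
        id: security_mode
        shell: bash
        run: |
          set -euo pipefail
          # ${VAR:-observe} already maps unset *and* empty to observe, so the
          # case below only has to handle unknown values.
          mode="${ARXMINT_SECURITY_GATE_MODE:-observe}"
          mode="$(printf '%s' "$mode" | tr '[:upper:]' '[:lower:]')"
          case "$mode" in
            off|observe|enforce) ;;
            *)
              echo "::warning::Invalid SECURITY_GATE_MODE '$mode'; defaulting to observe"
              mode="observe"
              ;;
          esac
          # Canary escalation. On pull_request events GITHUB_REF_NAME is
          # "<pr-number>/merge" and push only fires for master, so the PR's
          # source branch (GITHUB_HEAD_REF) is the name that can meaningfully
          # match a canary entry; on push GITHUB_REF_NAME is used as before.
          # NOTE(review): assumes the variable lists PR source branches — confirm.
          current_branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME:-}}"
          if [[ "$mode" == "observe" && -n "${ARXMINT_SECURITY_CANARY_BRANCHES:-}" && -n "$current_branch" ]]; then
            IFS=',' read -r -a branches <<< "${ARXMINT_SECURITY_CANARY_BRANCHES}"
            for branch in "${branches[@]}"; do
              # Trim surrounding whitespace with parameter expansion; xargs
              # would reinterpret quotes/backslashes in a branch name.
              trimmed="${branch#"${branch%%[![:space:]]*}"}"
              trimmed="${trimmed%"${trimmed##*[![:space:]]}"}"
              if [[ -n "$trimmed" && "$trimmed" == "$current_branch" ]]; then
                mode="enforce"
                break
              fi
            done
          fi
          # Exposed both as a step output (for `if:` expressions) and as a job
          # env var (for shell steps, so no ${{ }} interpolation is needed).
          echo "mode=$mode" >> "$GITHUB_OUTPUT"
          echo "ARXMINT_EFFECTIVE_SECURITY_MODE=$mode" >> "$GITHUB_ENV"
          echo "Security gate mode: $mode"
      - name: Install dependencies
        # NOTE(review): npm ci runs dependency lifecycle scripts (postinstall)
        # before any scan has run; consider `--ignore-scripts` here if no
        # package in the lockfile depends on them — confirm before changing.
        run: npm ci
      - name: Runtime artifact guardrails (tracked files)
        if: ${{ steps.security_mode.outputs.mode != 'off' }}
        run: bash scripts/security/guardrails.sh --scope tracked --mode "$ARXMINT_EFFECTIVE_SECURITY_MODE"
      - name: Dependency audit (high+)
        if: ${{ steps.security_mode.outputs.mode != 'off' }}
        shell: bash
        run: |
          # Capture the exit code instead of letting -e abort, so observe mode
          # can downgrade findings to a warning.
          set +e
          npm audit --audit-level=high
          rc=$?
          set -e
          if [[ "$rc" -ne 0 && "$ARXMINT_EFFECTIVE_SECURITY_MODE" == "enforce" ]]; then
            echo "::error::npm audit failed in enforce mode"
            exit "$rc"
          fi
          if [[ "$rc" -ne 0 ]]; then
            echo "::warning::npm audit findings detected (observe mode)"
          fi
      - name: Secret scan (gitleaks)
        if: ${{ steps.security_mode.outputs.mode != 'off' }}
        id: gitleaks
        # Findings only fail the job in enforce mode.
        continue-on-error: ${{ steps.security_mode.outputs.mode != 'enforce' }}
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Security mode summary
        if: always()
        run: |
          echo "Security mode: ${ARXMINT_EFFECTIVE_SECURITY_MODE:-unresolved}"
          echo "Gitleaks outcome: ${{ steps.gitleaks.outcome || 'skipped' }}"

  lint:
    name: Lint
    runs-on: ubuntu-latest
    needs: [security]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Lint
        run: npm run lint
      - name: Enforce no-silent-catch policy
        run: npm run lint:silent-catch
      - name: Enforce structured server logging
        run: npm run lint:server-logging

  type-check:
    name: Type Check
    runs-on: ubuntu-latest
    needs: [security]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Generate Prisma client
        run: npx prisma generate
      - name: Type check
        run: npx tsc --noEmit

  migration-verify:
    name: Migration Verify
    runs-on: ubuntu-latest
    needs: [security]
    services:
      postgres:
        image: postgres:16
        env:
          # Throwaway credentials for the ephemeral CI service container only.
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: arxmint_ci
        ports:
          - 5432:5432
        options: >-
          --health-cmd "pg_isready -U postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 10
    env:
      DATABASE_URL: postgresql://postgres:postgres@localhost:5432/arxmint_ci?schema=public
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Apply Prisma migrations
        run: npx prisma migrate deploy
      - name: Verify migration status
        run: npx prisma migrate status

  build-and-test:
    name: Build & Unit Tests
    runs-on: ubuntu-latest
    needs: [security, migration-verify]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Generate Prisma client
        run: npx prisma generate
      - name: Build
        run: npm run build
      - name: Validate Prometheus alert rules
        run: |
          docker run --rm \
            -v "${GITHUB_WORKSPACE}:/workspace" \
            -w /workspace \
            --entrypoint /bin/promtool \
            prom/prometheus:v2.55.0 \
            check rules docker/prometheus-alerts.yml
      - name: Run unit tests
        run: npm test

  e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    needs: [build-and-test]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Start regtest Docker stack
        run: npm run setup:regtest
        env:
          # Fixed, publicly known values for the regtest stack; they must never
          # be reused outside CI.
          GRAFANA_PASSWORD: ci-regtest-only
          POSTGRES_PASSWORD: ci-regtest-only
          CASHU_PRIVATE_KEY: 0000000000000000000000000000000000000000000000000000000000000001
      - name: Wait for app health
        run: |
          # Up to ~5 minutes (60 x 5s) for the compose stack to report healthy.
          for i in {1..60}; do
            if curl -fsS http://localhost:3000/api/health > /dev/null; then
              exit 0
            fi
            sleep 5
          done
          echo "App did not become healthy in time"
          docker compose ps || true
          docker compose logs --tail=200 || true
          exit 1
      - name: Run E2E tests
        run: npm run test:e2e:required
        env:
          TEST_SERVER_URL: http://localhost:3000
          TEST_LND_REST_URL: http://localhost:8080
          TEST_CASHU_MINT_URL: http://localhost:3338
      - name: Run optional E2E tests (non-blocking)
        continue-on-error: true
        run: npm run test:e2e:optional
        env:
          TEST_SERVER_URL: http://localhost:3000

  load-smoke:
    name: Load Smoke Test
    runs-on: ubuntu-latest
    needs: [build-and-test]
    # Non-blocking until baselines are established
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Generate Prisma client
        run: npx prisma generate
      - name: Start dev server
        # Backgrounded so the step returns; the next step polls for readiness.
        run: npm run dev &
        env:
          DATABASE_URL: ""
          # CI-only placeholder, not a real secret.
          NEXTAUTH_SECRET: ci-load-test-secret
      - name: Wait for server
        run: |
          for i in {1..30}; do
            if curl -fsS http://localhost:3000/api/health > /dev/null 2>&1; then
              echo "Server ready"
              exit 0
            fi
            sleep 2
          done
          echo "Server did not start in time"
          exit 1
      - name: Run smoke load test
        run: npm run test:load:smoke

  container-build:
    name: Container Build
    runs-on: ubuntu-latest
    needs: [build-and-test]
    # id-token: write is only needed for the keyless cosign step below.
    # NOTE(review): pull_request runs from forks are not issued an OIDC token,
    # so keyless signing would fail there; gate the signing step on
    # `github.event_name == 'push'` if fork PRs are accepted — confirm.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Build production image
        # The image is built but not scanned or signed; only the lockfile SBOM
        # below is attested.
        run: docker build -t arxmint:ci .
      - name: Generate CycloneDX SBOM
        # --package-lock-only: the SBOM describes package-lock.json, not the
        # contents of the image built above.
        # TODO(security): pin the tool version (@cyclonedx/cyclonedx-npm@<ver>)
        # instead of resolving "latest" from the registry at run time.
        run: npx @cyclonedx/cyclonedx-npm --output-file sbom.cdx.json --ignore-npm-errors --package-lock-only
      - name: Install cosign
        uses: sigstore/cosign-installer@v3
      - name: Sign and verify SBOM (keyless)
        env:
          COSIGN_YES: "true"
        run: |
          cosign sign-blob \
            --output-signature sbom.cdx.sig \
            --output-certificate sbom.cdx.pem \
            sbom.cdx.json
          # Self-check of the signature just produced. The identity is bound to
          # this repository's workflows: the previous pattern
          # "https://github.com/.+" accepted a certificate issued to any
          # GitHub workflow in any repository. Consumers of the uploaded
          # artifacts should verify with the same identity and issuer.
          cosign verify-blob \
            --signature sbom.cdx.sig \
            --certificate sbom.cdx.pem \
            --certificate-identity-regexp "^https://github.com/${GITHUB_REPOSITORY}/" \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
            sbom.cdx.json
      - name: Upload SBOM artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-cyclonedx
          path: sbom.cdx.json
      - name: Upload SBOM signature artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom-signature
          path: |
            sbom.cdx.sig
            sbom.cdx.pem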